You can set up Threat Defender to restrict access to certain websites for a certain time.
This example shows how to use the following concepts:
- Correlation scenarios
- Event tracking tables
Objective
Each user may access YouTube for 5 minutes. Afterwards, YouTube is blocked for that user for an hour.
To implement this, you need to set up a correlation scenario with two event tracking tables and a dedicated rule set.
Creating the Correlation Scenario
First, set up the correlation scenario that will contain the rules and event tracking tables.
- Navigate to Policy > Advanced Correlation.
- Click ADD.
- Enter a Name and an optional Note.
- Click SAVE.
Creating the Event Tracking Tables
In the correlation scenario, create two event tracking tables. One stores users for 5 minutes, the other stores users for one hour. This way, two lists of YouTube users are created.
The event tracking tables track the users. Since we only want to track the primary attribute, i.e. the user, we select User as primary attribute and None as secondary attribute. This is important: if a secondary attribute were selected, Threat Defender would compare the whole attribute pair (user plus secondary attribute) when checking the tables, and the rules below, which only check the user, would not match. Note also that the tables key on the User attribute, so Threat Defender must be able to attribute the traffic to a user for these rules to match.
The following table shows the required settings of the event tracking tables (Retention Time in seconds):

| Name | Retention Time (s) | Primary Attribute Type | Max. Number of Primary Attributes | Secondary Attribute Type | Max. No. of Secondary Attributes per Primary |
|---|---|---|---|---|---|
| 1 hour users | 3600 | User | 100 | None | 1 |
| 5 min users | 300 | User | 100 | None | 1 |
Note: Under Maximum Number of Primary Attributes, make sure that both tables are large enough to fit the number of users in your network.
Creating the Rule Set
Set up a rule set of five rules in the correlation scenario. The order matters, because the rules are processed top-down:
- Rule 1 allows all traffic except YouTube.
- Rule 2 allows YouTube access for users on the 5 min users list.
- Rule 3 rejects YouTube access for users on the 1 hour users list.
- Rule 4 adds users who start a new YouTube connection to the 5 min users list.
- Rule 5 adds users who start a new YouTube connection to the 1 hour users list.
The following table shows the required rule settings:

| Rule | Source | Destination | Condition | Actions |
|---|---|---|---|---|
| 1 | Any | Any | Classification: Excluded Applications/Protocols: YouTube | Final Action: Allow Traffic and Skip to Next Scenario |
| 2 | Any | Any | Classification: Applications/Protocols: YouTube; Advanced Correlation: Condition: Event in Event Tracking Table, Event Tracking Table: 5 min users | Final Action: Allow Traffic and Skip to Next Scenario |
| 3 | Any | Any | Classification: Applications/Protocols: YouTube; Advanced Correlation: Condition: Event in Event Tracking Table, Event Tracking Table: 1 hour users | Final Action: Reject Traffic and Stop Processing |
| 4 | Any | Any | Classification: Applications/Protocols: YouTube | Add to Event Tracking Table: Event Tracking Table: 5 min users, Primary Attribute: User, Secondary Attribute: None |
| 5 | Any | Any | Classification: Applications/Protocols: YouTube | Add to Event Tracking Table: Event Tracking Table: 1 hour users, Primary Attribute: User, Secondary Attribute: None |

Only rule 1 uses the Excluded Applications/Protocols setting. Rules 2 to 5 must match the YouTube traffic itself, so there YouTube is entered under Applications/Protocols; if it were entered under Excluded Applications/Protocols as well, none of these rules would ever see a YouTube connection.
Click APPLY CHANGES to activate your configuration changes.
Result
The system processes the specified rule set top-down:
- Rule 1 allows all traffic except YouTube, so only YouTube traffic reaches the remaining rules.
- For YouTube traffic, the system checks whether the requesting user is in either of the event tracking tables:
  - If the user is on the 5 min users list, Threat Defender allows the connection and skips to the next correlation scenario (rule 2).
  - If the user is not on the 5 min users list but on the 1 hour users list, Threat Defender rejects the connection and stops processing (rule 3).
  - If the user is on neither list, Threat Defender adds the user to both event tracking tables (rules 4 and 5). These two rules set no final action, so the connection itself continues to the next scenario.
Because rules 2 and 3 end processing for this scenario, rules 4 and 5 only run on the first YouTube connection of a cycle, and both retention timers start at that moment: the user's following YouTube connections are allowed until the 5 min users entry expires, rejected until the 1 hour users entry expires, and then the cycle starts again. The block therefore ends one hour after the user's first YouTube connection, not one hour after the end of the 5-minute window.
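To check that the rule set really produces this timeline, here is a small Python model of the two event tracking tables and the five rules. This is an added example for this page, not Threat Defender code: the class and function names, the constructed sample events, the "continue" result for rules 4 and 5 (which set no final action) and the behaviour of a full table are assumptions of the model. It also shows why the secondary attribute must be None (the table lookup compares the whole attribute pair).

```python
"""Model of the YouTube correlation scenario: two event tracking tables and five rules.

Added example, not Threat Defender code. Class/function names, the sample
events, the "continue" result for rules 4 and 5 and the full-table behaviour
are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass
class EventTrackingTable:
    """Entries are (primary, secondary) attribute pairs, dropped after retention_time seconds."""
    name: str
    retention_time: int                              # seconds, as in the settings table
    max_primary: int = 100                           # Max. Number of Primary Attributes
    entries: dict = field(default_factory=dict)      # (primary, secondary) -> insertion time

    def expire(self, now):
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.retention_time}

    def add(self, primary, now, secondary=None):
        """Add an attribute pair; returns False if the table is full (assumed behaviour)."""
        self.expire(now)
        known = {p for p, _ in self.entries}
        if primary not in known and len(known) >= self.max_primary:
            return False
        # Retention counts from the first insertion (assumed; in this scenario a user
        # is never re-added while still present, so it makes no difference here).
        self.entries.setdefault((primary, secondary), now)
        return True

    def contains(self, primary, now, secondary=None):
        """'Event in Event Tracking Table': compares the whole attribute pair."""
        self.expire(now)
        return (primary, secondary) in self.entries


def evaluate(app, user, now, five_min, one_hour):
    """Top-down evaluation of rules 1-5 for one connection; returns the resulting action."""
    if app != "YouTube":                 # rule 1: everything except YouTube
        return "allow"
    if five_min.contains(user, now):     # rule 2: still inside the 5-minute window
        return "allow"
    if one_hour.contains(user, now):     # rule 3: window used up, still inside the hour
        return "reject"
    five_min.add(user, now)              # rule 4: start the 5-minute window
    one_hour.add(user, now)              # rule 5: start the 1-hour block
    return "continue"                    # no final action: traffic goes on to the next scenario


def timeline(events):
    """Run a list of (time_in_seconds, user, application) through fresh tables."""
    five_min = EventTrackingTable("5 min users", 300)
    one_hour = EventTrackingTable("1 hour users", 3600)
    return [evaluate(app, user, t, five_min, one_hour) for t, user, app in events]


# Constructed sample traffic (not real logs), in chronological order.
SAMPLE_EVENTS = [
    (0, "alice", "YouTube"),     # first connection: rules 4 and 5 add alice to both tables
    (60, "alice", "YouTube"),    # rule 2: allowed
    (120, "bob", "YouTube"),     # bob starts his own cycle
    (299, "alice", "YouTube"),   # last second of alice's 5-minute window
    (300, "alice", "YouTube"),   # 5 min entry expired, 1 hour entry present: rule 3 rejects
    (400, "bob", "YouTube"),     # bob's window is still open
    (1800, "alice", "Mail"),     # rule 1: non-YouTube traffic is always allowed
    (3599, "alice", "YouTube"),  # last second of alice's block
    (3600, "alice", "YouTube"),  # both entries expired: a new cycle starts
    (3601, "alice", "YouTube"),  # allowed again
]


def secondary_attribute_pitfall():
    """Why the secondary attribute must be None: the table stores (alice, 203.0.113.5),
    but a rule that only checks the user looks up (alice, None) and does not match."""
    table = EventTrackingTable("bad table", 300)
    table.add("alice", 0, secondary="203.0.113.5")   # constructed documentation IP
    return table.contains("alice", 10)


def capacity_check():
    """Sizing note: once the table holds max_primary users, the model refuses new ones."""
    table = EventTrackingTable("small table", 300, max_primary=1)
    return table.add("alice", 0), table.add("bob", 0)


if __name__ == "__main__":
    for (t, user, app), action in zip(SAMPLE_EVENTS, timeline(SAMPLE_EVENTS)):
        print(f"t={t:5d}s {user:6s} {app:8s} -> {action}")
    print("lookup with mismatched secondary attribute matches:", secondary_attribute_pitfall())
    print("capacity check (alice, bob):", capacity_check())
```

Running the model prints one line per sample connection: alice is allowed from her second connection until second 299, rejected from second 300 to 3599, and starts a fresh cycle at second 3600, while her mail traffic at second 1800 passes rule 1 regardless. The two helper functions show the attribute-pair mismatch and what the sizing note in the table section guards against.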